VIRUS-L Digest Tuesday, 28 Mar 1989 Volume 2 : Issue 73 Today's Topics: KillVirus Init (Mac) Transposing Virus (PC) Re: anti-virus recommendations UK Computer threat research association --------------------------------------------------------------------------- Date: Sun, 26 Mar 89 00:38:49 +0100 From: David Stodolsky Subject: KillVirus Init (Mac) KillVirus Init for Mac "KillVirus", a startup document for the Mac, was found to be infected with "nVIR" by Interferon 3.1. The infection was confirmed by Virus Rx. The information box indicated its size to be "979 bytes used, 1K on disk". The creations date was "Tue, Sep 10, 1985, 10:08 AM", Modified "Tue, Mar 22, 1988, 9:14 AM". Version indicated "not available". The icon was a generic document. The document was never used, just placed in my "Anti-virus" folder. I have deleted the document from my hard disk and taken no further action. I ran the checks after an attempt to start a shareware program "Concentration", which I thought was a game, caused a screen disruption, a buzz from speaker, and a system restart (Mac SE, System 6.0.2, Multi-finder 6.0.1. I had Vaccine version 1.0, without expert mode on.) When I tried to copy "Concentration" to a folder on the hard disk, I got an error, but my copy of the original (a whole disk copy) to another floppy disk had worked. An attempt to recopy the original back to the same floppy after deleting the game (and emptying the trash) gave a error indicating a failure on the target disk! Checking this disk with "Disk First Aid" found it to be OK. This made me think that a virus check of the disk was in order, but no virus was found on it. Later I tried another whole disk copy to the same target disk that failed with an "unknown error" message. After reinitializing the target disk a whole disk copy worked, and it was possible to move the Concentration application to a folder on the hard disk. An attempt to execute it again led to the system hanging, and I had to do a restart manually ( by pressing the programmer's key). I had rebuilt the desktop after the initial crash, so that might explain the different behavior. Or maybe it was because the Concentration application was run before any other application the last time I tried it. Is this really an infection, or is "KillVirus" an init that happens to trigger both of these anti-virus programs? ****************** Interferon Report ***************** Interferon 3.1 - Version of 16 May 88 - 1988 Robert Woodhead, Inc. - All Rights Reserved - ------------ lines deleted---------------- (002) 04/07/88 "nVIR" Virus - --------------lines deleted------------------- Checking for viral infections on volume "HD0" INFECTION: Type 002 virus detected in file: HD0: applications: Anti-viral: KillVirus ALERT! Volume "HD0" may be infected! Consult listing to determine the details. Interferon run completed! 2197 files were scanned, of which 207 had resource forks. ******************** Virus Rx report ********************** Volume: HD0 Thursday, March 23, 1989 8:30 PM User: Virus Rx - v1.4a1 These files are infected with a known virus Remove these files from your disk INIT ???? KillVirus :applications:Anti-viral: Last modified Tuesday, March 22, 1988 9:14 AM SUMMARY: ***** FATAL infected files: 1 !!!!! You appear to have a virus !!!! !!!!! Clean this volume !!!! !!!!! See Virus Rx README !!!! ****************************************************** David Stodolsky diku.dk!stodol@uunet.UU.NET Department of Psychology Voice + 45 1 58 48 86 Copenhagen Univ., Njalsg. 88 Fax. + 45 1 54 32 11 DK-2300 Copenhagen S, Denmark stodol@DIKU.DK ------------------------------ Date: Sun, 26 Mar 1989 00:52:18 EST From: Steve Subject: Transposing Virus (PC) Ross M. Greenberg wrote about a virus that randomly tranposed characters but kept track of all the transpositions in a hidden file called BUG.DAT: > . > . > . >The virus, after spreading to all .COM and .EXE files in the current >directory, would look for an open operation on a .DBF file. All >writes to the file would have two bytes transposed at random. These >bytes' offsets were stored in a file called "BUG.DAT" (a hidden file) >in the .DBF's directory. Subsequent reads of this data would cause >the transposition of the same data, and everything would look nifty. >After this code had run for 90 days (after the BUG.DAT file was 90 >days old), it would trash the disk (eat the FAT and root directory). > >Getting rid of the virus wasn't difficult: just copy in new >executables from your backup. However! If you did this, your data is >history - nothing to transpose it back into "real" form. Just some comments: So the virus must keep all the .DBF file names and all their transposed characters in the file called BUG.DAT? It seems to me that if you made the mistake of getting rid of the infected *.EXE file it wouldn't be a disaster because you'd probably still have the hidden file BUG.DAT somewhere and could always recreate the infected file (provided you had or could import another file infected with the virus). All this brings up a good point: If one day I found that my computer was infected with a virus, *before doing anything*, I'd first make a backup of all the files on my disk (hidden files too!). Then I'd try to verify that all my data files (anything that wasn't an .exe or .com file) on the backup were identical to the originals on the main disk and hopefully intact. Then I'd go to work trying to eliminate the infection. If something went wrong, then I'd still have my backup. This is reasonably safe unless one encounters a virus like the one Ross describes, only which hides the transposed-character information in a file in a sector marked bad (even though it isn't bad), and then (for example) you reformat the original disk (a disaster because you'd lose BUG.DAT). So, though it's more trouble, it's always safer to "uninfect" a copy of your infected disk if possible. Finally, if you're really unlucky and the virus contains a bomb, it could blow still blow up before you get all your files "un-transposed" Steven C. Woronick | Disclaimer: Always check it out for yourself... Physics Dept. | SUNY at | Stony Brook, NY 11794 | Acknowledge-To: ------------------------------ Date: Mon, 27 Mar 89 14:17:59 EST From: Neil Goldman Subject: Re: anti-virus recommendations Roman Olynyk provides us with the anti-virus recommendations from Computer World. There is one with which I disagree (to an extent). In regard to shareware and PD software, I do believe that users should be cautioned that they are the primary (though not exclusive) source of viruses do to their widespread availability. As you are all aware, users will obtain a copy from a friend, business associate, or even a bulletin board. Since in the first two, and periodically in the third, no controls exist to prevent the corruption of the product from its original form (which for the sake of argument I assume did not have any malicious intent). However, I do not believe that an end to PD and shareware is called for. In the vast majority of cases, they are excellent products, often rivaling their industry-marketed counterparts. As an alternative to the Computer World suggestion, I recommend that IF users want to take advantage of this software, they should contact the ORIGINAL AUTHOR for a copy. Presumably, his product is *uncorrupted*. Then, if a virus does then become introduced into your system and you have documented the source of all data and programs existing on your system, the source of the virus is determinable. Or rather, no virus *should* infect the system to begin with. *************************************************************** *Neil A. Goldman NG44SPEL@MIAMIU.BITNET* * * * Replies, Concerns, Disagreements, and Flames expected * * Mastercard, Visa, and American Express not accepted * *************************************************************** Acknowledge-To: ------------------------------ Date: Tue, 28 Mar 89 10:33:16 BST From: David.J.Ferbrache Subject: UK Computer threat research association For those of you interested an umbrella organisation has been established in the UK to co-ordinate information on, and research into all aspects of computer security. In the first instance one of the organisations primary concerns will be combatting the threat posed by computer viruses by acting as a clearing house for virus information and control software. Below is a copy of an initial letter mailed to prospective members: The Computer Threat Research Association The computer threat research association, CoTra is a non-profit making organisation that exists to research, analyse, publicise and find solutions for threats to the integrity and reliability of computer systems. The issue that caused the formation of CoTra was the rise of the computer virus. This problem has since become surrounded by fear, uncertainty and doubt. To the average user the computer virus and its implications are a worry of an unknown scale. To a few unfortunates whose systems have become a critical issue. The key advantage of CoTra membership will be access to advice and information. Advice will be provided through publications, an electronic conference (a closed conference for CoTra's members has been created on the Compulink CIX system) as well as other channels such as general postings direct to members when a new virus is discovered. CoTra membership will be available on a student, full or corporate member basis. All software that is held by CoTra that enhances system reliability, such as virus detection and removal software, will be available to all members. It is intended to establish discounts with suppliers of reliability tools and services. A library of virus sources and executables and other dangerous research material will be made available to members who have a demonstrable need. A register of consultants who have specific skills in the systems reliability field will be published by CoTra and reviews of reliability enhancing software will be produced. Your support of CoTra will ensure that you have the earliest and most accurate information about potential threats to your computer systems. CoTra, The computer threat research association, c/o 144 Sheerstock, Haddenham, Bucks. HP17 8EX - ---------------------------------------------------------------------------- Part of the organisations aims is to establish reciprocal links with other similar organisations worldwide to facilitate the sharing of experience and rapid flow of information on new threats. To this end if you are involved in, or have contacts with, a similar organisation in your country, please write to CoTra (or by email to me, and I will forward your correspondence) outlining your organisation and its aims. Yours sincerely - ------------------------------------------------------------------------- Dave Ferbrache Personal mail to: Dept of computer science Internet Heriot-Watt University Janet 79 Grassmarket UUCP ..!mcvax!hwcs!davidf Edinburgh,UK. EH1 2HJ Tel (UK) 031-225-6465 ext 553 ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253